Modern applications are assembled from open source libraries, runtimes, databases, and base images as raw materials, and each of these components is a potential entry point for a software supply chain attack.
The growing share of open source components in codebases has created a need for reliable tools that ensure the security, compliance, and provenance of software and its dependencies.
To address this, developers can adopt practices and tools such as finding and fixing known vulnerabilities, building a source of truth for open source packages, and combining continuous packaging and security into a single delivery pipeline.